Advanced persistent threat (APT) detection in a mobile device

Assignee

• International Business Machines Corporation · US

Inventors

• Suresh N. Chari · Yorktown Heights, US
• Zhongshu Gu · Ridgewood, US
• Heqing Huang · Mahwah, US
• Xiaokui Shu · Ossining, US
• Jialong Zhang · White Plains, US

Key dates

Classification

• Technology area (CPC G)Physics
• CPC primaryG06F2221/2141
• WIPO fieldComputer technology
• WIPO sectorElectrical engineering

Abstract

Advanced persistent threats to a mobile device are detected and prevented by leveraging the built-in mandatory access control (MAC) environment in the mobile operating system in a “stateful” manner. To this end, the MAC mechanism is placed in a permissive mode of operation wherein permission denials are logged but not enforced. The mobile device security environment is augmented to include a monitoring application that is instantiated with system privileges. The application monitors application execution parameters of one or more mobile applications executing on the device. These application execution parameters including, without limitation, the permission denials, are collected and used by the monitoring application to facilitate a stateful monitoring of the operating system security environment. By assembling security-sensitive events over a time period, the system identifies an advanced persistent threat (APT) that otherwise leverages multiple steps using benign components. Once an APT has been detected, a mitigation action (e.g., terminating the malicious process) is undertaken.